OW2 users roles
Context
Most of the time, a third-party application (Atlassian, XWiki, etc.) defines its own specific permissions and does not allow the user<>roles<>permissions association to be retrieved from an external endpoint: it can only see groups and users.
By saying we want a Roles layer to be part of our systems, in relation with our apps, we mean to:
- Provide a way to store the user/group<>roles<>permissions<>app mapping in the LDAP directory
- Provide a way to push/sync those mappings to the app (using the app's API when possible)
So, maintaining a user/group<>roles<>permissions<>app mapping is a must.
Then, any OW2 own-written app or script has to implement the roles layer to be part of the "system".
Below is an initial list of identified OW2 roles and their possible permissions. Of course, in the final implementation it should be possible to alter the permission-to-role assignment at any time.
Definitions
Management Office (MO)
"The Management Office is a small team of professionals appointed to run the day-to-day operations of the Consortium."
Also called MO, see Management_Office.
Entity
"An entity is something that exists in itself, actually or potentially, concretely or abstractly, physically or not." (Source: Wikipedia.) In the scope of OW2, an entity can be an Organisation, Project, User, Member...
User
A user is a human whose life path crosses the one of the OW2 Consortium.
Account
An account is a digital object representing a user. An account has an e-mail address field. Two distinct accounts cannot share the same e-mail address. A user has at least one account except the anonymous user. A user can have several accounts.
Update following a discussion with Benoit: a user is meant to have only one account in the OW2 platform. In case he has several ones, they should be merged. However, a user can have several roles.
Organization
An organization is an object entity representing:
- the details of the organization
- a set of accounts
Member
A member is either:
- a user who has an account with which he has accepted (signed) the OW2 by-laws (commonly called "Individual Member").
- an organization whose legal representative has accepted the OW2 by-laws (commonly called "Strategic Member" or "Corporate Member").
Project
A project is an object entity representing:
- the details of the project
- a set of accounts
Role
A role is a set of permissions to accomplish specific operations in regard to job functions. An account can have zero, one or many roles. An organization may also have roles; in that case, the accounts belonging to that organization inherit all its roles.
Users and Groups can be assigned to a role, and the role is in turn associated with a set of permissions.
Individual roles
Anonymous
(=unregistered)
Permissions:
- Browse data from all the public projects
Basic
(inherits from Guest)
Permissions:
- Open issues in a tracker
- Update profile
- Request membership
- Request contribution in project (this implies a registration to the Consortium)
MH: User should be committed to a legal status before it could be assigned to the _Starter Member_ role and further
Starter Member
We need this role if we think the "Individual Member", "Corporate Member" and "Strategic Member" roles should be managed separately (exclusive).
If not (inclusive), we can drop it or merge it into the "Individual Member" role; in that case this role will never be assigned as a direct role to a contributor (as the role would always be indirectly inherited). The only direct member of the "Individual Member" role is someone who isn't a contributor yet.
(inherits from Basic)
Permissions:
- Submit a proposal
Individual Member
(inherits from Starter Member)
Permissions:
- Vote for an Individual Member Representative (check who can be a representative)
Project Contributor
(inherits from Starter Member)
Permissions:
- Browse the project and contribute to it (VCS, wiki etc.)
- Git: read/write
- Bamboo: read/write
Project Manager
(inherits from Project Contributor)
Permissions:
- Administer his project in all the forge tools (wiki, JIRA, SYMPA, …)
- SYMPA: owner of his list, can request a new list
- Administer his project's dashboard page on the OW2 site
- Create a topic in the Programming Contest list
- Edit the TC space on the main site
Manager
(inherits from Starter Member)
MH: typically MO members: we could have a group MO assigned to this role
Permissions:
- Dashboards administration
- SYMPA create list, add / remove user to list
- User Management: add, update, add to group, add roles, remove roles, …
- XWiki: access to all wikis, create space, create page, delete page or space
Administrator
(inherits from Manager)
Permissions:
- SYMPA admin / listmaster
- User Management admin
- XWiki farm admin: create wikis
ManagementOffice Member
(inherits from Manager)
Corporate Member Representative
(inherits from Starter Member, and implies the Corporate Member role)
Permissions:
- Vote for a Corporate Member representative
Strategic Member Representative
(inherits from Starter Member, and implies the Strategic Member role)
Permissions:
- Participate in the board
Individual Member Representative
(inherits from Starter Member, and implies the Individual Member role)
Permissions:
(Check what the IM Representative can do)
OW2 Contact (CRM)
- detailed info can be accessed only by MO
This document was drafted by MH and SL as a Google Doc and was migrated to this wiki in November 2015.
Organizational roles
A user who is a member of an organization automatically inherits the role(s) of the organization he is a member of. A user account can be linked to at most one organization. If a user actually belongs to several organizations, he needs to create several accounts. An organization has one representative member who has special roles.
Corporate Member
Permissions:
- Vote for a Corporate Member representative
Strategic Member
Permissions:
- (do not vote)
Associate Member
Permissions:
- (to be defined)
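As an added example (not part of this OW2 page) of how the inheritance rules in the Role definition and the Organizational roles section combine, the following Python resolves an account's effective roles and permissions from the hierarchy listed above; the permission labels, the organization "Acme" and the sample accounts are constructed, and "Guest" (the parent of Basic) is assumed to mean Anonymous.

```python
# Role inheritance as listed on this page: role -> roles it inherits from
# or implies. "Guest" (parent of Basic) is assumed to mean Anonymous.
ROLE_PARENTS = {
    "Anonymous": [],
    "Basic": ["Anonymous"],
    "Starter Member": ["Basic"],
    "Project Contributor": ["Starter Member"],
    "Project Manager": ["Project Contributor"],
    "Manager": ["Starter Member"],
    "Corporate Member Representative": ["Starter Member", "Corporate Member"],
    "Corporate Member": [],
}

# Permissions granted directly by each role (labels are constructed).
PERMISSIONS = {
    "Anonymous": {"browse-public-projects"},
    "Basic": {"open-issue", "update-profile", "request-membership"},
    "Starter Member": {"submit-proposal"},
    "Project Contributor": {"git-rw", "bamboo-rw"},
    "Project Manager": {"administer-project-tools", "sympa-list-owner"},
    "Manager": {"dashboards-admin", "sympa-create-list", "user-management"},
    "Corporate Member": {"vote-cm-representative"},
}

# Constructed sample organization; an account is linked to at most one.
ORGANIZATIONS = {"Acme": ["Corporate Member"]}

def effective_roles(direct_roles):
    # Transitive closure over ROLE_PARENTS; an undefined role raises KeyError
    # so that a misspelled role in the directory is noticed, not ignored.
    seen, todo = set(), list(direct_roles)
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(ROLE_PARENTS[role])
    return seen

def account_roles(account, organizations=ORGANIZATIONS):
    # Direct roles plus those of the single organization the account is linked to.
    roles = set(account.get("roles", []))
    if account.get("organization") is not None:
        roles |= set(organizations[account["organization"]])
    return roles

def effective_permissions(account, organizations=ORGANIZATIONS):
    # Union of the permissions of every effective role of the account.
    perms = set()
    for role in effective_roles(account_roles(account, organizations)):
        perms |= PERMISSIONS.get(role, set())
    return perms
```

When the mapping is stored in LDAP, the same resolution can run on the sync side so each app receives the already-flattened permission set it understands.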